-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/01/2011 04:16 PM, Trey Dockendorf wrote:
> I'm setting up a dedicated database server, and since this will be
> a central service to my various web servers I wanted it to be as
> secure as possible...so I am leaving SELinux enabled. However I'm
> having trouble getting Apache to use mod_auth_pam. I also now
> can't get setroubleshootd working to send me notifications of the
> denials and provide tips to solve the problem.
>
> The Apache service has this directive on the default vhost,
> -------------------
> <Directory "/usr/share/phpMyAdmin">
>     AuthPAM_Enabled on
>     AllowOverride None
>     AuthName "HTTP Auth"
>     AuthType basic
>     require valid-user
> </Directory>
>
> When I attempt to authenticate I noticed this in /var/log/secure
> --------------------
> Nov 1 15:06:58 host httpd: PAM audit_open() failed: Permission denied
>
> This is the entry from the audit log...
> ----------------
> type=AVC msg=audit(1320178016.209:919): avc: denied { create } for pid=22689 comm="unix_chkpwd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
> type=SYSCALL msg=audit(1320178016.209:919): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=7fff23386470 items=0 ppid=20102 pid=22689 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1320178018.386:920): avc: denied { create } for pid=20102 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
> type=SYSCALL msg=audit(1320178018.386:920): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=0 items=0 ppid=20099 pid=20102 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>
>
> As for setroubleshoot, I have a duplicate install working just fine
> on another server, or at least it was working. I'm worried
> updating to CR may have broken setroubleshootd. Mainly I'd like to
> know how to troubleshoot that application. Messagebus is running.
>
> Running setroubleshootd yields these results...
> -------------------
> # setroubleshootd -f -V
> 2011-11-01 15:11:53,919 [database.DEBUG] created new database: name=audit_listener, friendly_name=Audit Listener, filepath=/var/lib/setroubleshoot/audit_listener_database.xml
> 2011-11-01 15:11:53,920 [database.DEBUG] database version 3.0 compatible with current 3.0 version
> 2011-11-01 15:11:53,923 [plugin.DEBUG] load_plugins() names=['httpd_bad_labels', 'allow_saslauthd_read_shadow', 'tftpd_write_content', 'allow_nfsd_anon_write', 'vbetool', 'allow_ypbind', 'httpd_use_cifs', 'file', 'allow_execheap', 'nfs_export_all_rw', 'allow_java_execstack', 'allow_httpd_sys_script_anon_write', 'samba_share', 'filesystem_associate', 'fcron_crond', 'inetd_bind_ports', 'named_write_master_zones', 'qemu_file_image', 'catchall', 'allow_mplayer_execstack', 'httpd_can_sendmail', 'httpd_enable_homedirs', 'wine', 'xen_image', 'secure_mode_policyload', 'allow_execmod', 'disable_ipv6', 'httpd_can_network_connect_db', 'sys_module', 'bind_ports', 'samba_export_all_rw', 'use_samba_home_dirs', 'rsync_data', 'allow_kerberos', 'httpd_ssi_exec', 'mmap_zero', 'global_ssp', 'allow_rsync_anon_write', 'cvs_data', 'allow_ftpd_anon_write', 'device', 'catchall_boolean', 'automount_exec_config', 'leaks', 'setenforce', 'ftpd_is_daemon', 'allow_zebra_write_config', 'firefox', 'nfs_export_all_ro', 'httpd_enable_cgi', 'httpd_tty_comm', 'public_content', 'ftp_home_dir', 'prelink_mislabled', 'allow_execstack', 'spamd_enable_home_dirs', 'sshd_root', 'samba_share_nfs', 'httpd_builtin_scripting', 'allow_ftpd_full_access', 'default', 'allow_ftpd_use_nfs', 'samba_enable_home_dirs', 'restorecon', 'selinuxpolicy', 'pppd_can_insmod', 'allow_daemons_dump_core', 'httpd_write_content', 'allow_httpd_anon_write', 'secure_mode_insmod', 'kernel_modules', 'samba_export_all_ro', 'httpd_enable_ftp_server', 'allow_postfix_local_write_mail_spool', 'execute', 'privoxy_connect_any', 'use_nfs_home_dirs', 'allow_smbd_anon_write', 'sys_resource', 'allow_ftpd_use_cifs', 'connect_ports', 'swapfile', 'httpd_use_nfs', 'httpd_can_network_relay', 'allow_cvs_read_shadow', 'squid_connect_any', 'mounton', 'qemu_blk_image', 'user_tcp_server', 'restore_source_context']
> 2011-11-01 15:11:53,923 [plugin.INFO] importing /usr/share/setroubleshoot/plugins/__init__ as plugins
> 2011-11-01 15:11:55,114 [avc.DEBUG] Number of Plugins = 90
> 2011-11-01 15:11:55,116 [communication.DEBUG] parse_socket_address_list: input='{unix}/var/run/setroubleshoot/setroubleshoot_server'
> 2011-11-01 15:11:55,117 [communication.DEBUG] parse_socket_address_list: {unix}/var/run/setroubleshoot/setroubleshoot_server --> {unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
> 2011-11-01 15:11:55,118 [communication.DEBUG] new_listening_socket: {unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
> 2011-11-01 15:11:55,118 [server.INFO] creating system dbus: bus_name=org.fedoraproject.Setroubleshootd object_path=/org/fedoraproject/Setroubleshootd interface=org.fedoraproject.SetroubleshootdIface
> 2011-11-01 15:11:55,119 [server.DEBUG] dbus __init__ /org/fedoraproject/Setroubleshootd called
> 2011-11-01 15:12:05,119 [server.DEBUG] received signal=14
> 2011-11-01 15:12:05,119 [server.DEBUG] KeyboardInterrupt in RunFaultServer
> 2011-11-01 15:12:05,119 [database.DEBUG] writing database (/var/lib/setroubleshoot/audit_listener_database.xml) modified_count=0
> ------------------------
>
> I've found this resource,
> http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id4621954,
>
> but have no idea how to make that change or where that modification would
> go.
>
> Please let me know what other information would be useful.
>
> Thanks
> - Trey
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

Do you have the allow_httpd_mod_auth_pam boolean turned on?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6wVZgACgkQrlYvE4MpobOg8gCgzbPmuUBJJ20iBhAQnCoTvZVU
NfUAoLz5TplWxxflLWscqc7Vc7RHahvj
=UYqX
-----END PGP SIGNATURE-----
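The reply points at a boolean, and the AVC records quoted above are what justify that pointer: both denials come from processes running in httpd_t (httpd itself and the unix_chkpwd helper it spawns) trying to create a netlink_audit_socket, which is the audit_open() call PAM makes and which /var/log/secure reports as "Permission denied". The script below is an added example, not code from the thread or from setroubleshoot: it parses AVC records in the format shown in the post, reduces each to the (source domain, target type, class, permission) tuple that setroubleshoot's boolean plugins key on, and names the boolean to check. The sample log is constructed from the two records in the post plus one unrelated denial that no rule covers. The rule table is an assumption of mine: the first entry is the case discussed in the thread; the second maps a httpd_t name_connect to mysqld_port_t to the httpd_can_network_connect_db boolean, whose plugin appears in the setroubleshootd output above.

```python
"""Triage SELinux AVC denials from an audit log and name the boolean to check.

Added example; parses the AVC record format quoted in the thread.
"""
import re
from collections import namedtuple

# Constructed sample input: the two AVC records and one SYSCALL record quoted in
# the thread (the SYSCALL line is not an AVC and must be ignored), plus one
# constructed denial (serial 921) that no boolean rule covers.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1320178016.209:919): avc: denied { create } for pid=22689 comm="unix_chkpwd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1320178016.209:919): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=7fff23386470 items=0 ppid=20102 pid=22689 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1320178018.386:920): avc: denied { create } for pid=20102 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1320178099.000:921): avc: denied { read } for pid=20102 comm="httpd" name="example.conf" dev=dm-0 ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
"""

# Real auditd writes "avc:  denied  { create } for  pid=" with double spaces;
# the mailing-list copy collapsed them, so whitespace is matched loosely.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either a quoted string or a run of non-space chars
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

Denial = namedtuple("Denial", "serial perms comm sdomain ttype tclass")

# (source domain, target type, object class, permission) -> boolean to check.
# Assumed mapping (not from the thread): rule 1 is the mod_auth_pam case the
# reply asks about; rule 2 is the database-connect boolean from the plugin list.
BOOLEAN_RULES = [
    (("httpd_t", "httpd_t", "netlink_audit_socket", "create"), "allow_httpd_mod_auth_pam"),
    (("httpd_t", "mysqld_port_t", "tcp_socket", "name_connect"), "httpd_can_network_connect_db"),
]


def parse_avc(line):
    """Return a Denial for an AVC record, or None for any other audit record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type[:level]; the type is the third field.
    return Denial(
        serial=int(m.group("serial")),
        perms=frozenset(m.group("perms").split()),
        comm=fields.get("comm", "?"),
        sdomain=fields["scontext"].split(":")[2],
        ttype=fields["tcontext"].split(":")[2],
        tclass=fields["tclass"],
    )


def matching_boolean(denial):
    """Name the boolean a rule maps this denial to, or None if no rule applies."""
    for (sdomain, ttype, tclass, perm), boolean in BOOLEAN_RULES:
        if (denial.sdomain, denial.ttype, denial.tclass) == (sdomain, ttype, tclass) \
                and perm in denial.perms:
            return boolean
    return None


def triage(audit_text):
    """Return (serial, comm, boolean-or-None) for every AVC record in the text."""
    results = []
    for line in audit_text.splitlines():
        denial = parse_avc(line)
        if denial is not None:
            results.append((denial.serial, denial.comm, matching_boolean(denial)))
    return results


if __name__ == "__main__":
    for serial, comm, boolean in triage(SAMPLE_AUDIT_LOG):
        if boolean:
            print(f"audit {serial} ({comm}): check boolean with: getsebool {boolean}")
        else:
            print(f"audit {serial} ({comm}): no boolean rule; inspect with: ausearch -a {serial} | audit2allow -w")
```

On the box itself the same check is `getsebool allow_httpd_mod_auth_pam`, and enabling it persistently is `setsebool -P allow_httpd_mod_auth_pam on` (later policy versions renamed the boolean httpd_mod_auth_pam). For denials the rule table does not know, `ausearch -m avc -ts recent | audit2allow -w` prints the same kind of explanation setroubleshoot would, which is useful while setroubleshootd itself is not delivering notifications. Keying rules on the target type as well as the class matters: a name_connect denial from httpd_t is only the database boolean when the target is mysqld_port_t, and blindly flipping a broader boolean widens what the web server may reach.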